AI Laws in South Dakota (SD)

What companies in South Dakota need to know about AI compliance

South Dakota remains in the "no dedicated AI law" cohort as of 2026-04-22 — south dakota has focused on data broker bills but no ai-specific statute; monitoring minnesota hf 4654 effective 2026-08-01. Operators across sectors in South Dakota watch federal signals first.

Federal law still governs Cross-Sector AI in South Dakota primarily through FTC Section 5 (15 USC 45) and NIST AI RMF 1.0. Adjacent federal authorities include Gramm-Leach-Bliley Act (GLBA) / NIST Cybersecurity Framework (15 U.S.C. § 6801-6809; NIST CSF 2.0); California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) (CA Civil Code §§ 1798.100-1798.199); General Data Protection Regulation (GDPR) (for EU users) (EU Regulation 2016/679). Gramm-Leach-Bliley Act (GLBA) / NIST Cybersecurity Framework (enforced by Federal Trade Commission; NIST) applies to saas platforms handling personal/financial data via ai must implement nist csf security standards: identify, protect, detect, respond, recover. Penalty exposure: ftc civil penalties up to $100,000/violation; private litigation for data breaches. FTC Operation AI Comply (Sep 2024) targeted five companies across sectors.

Three neighboring regimes create compounding exposure: Minnesota (HF 4654 — AI Transparency Act, penalty Civil penalties), Iowa (AI in Government Act, penalty Administrative), and Montana (Consumer Data Privacy Act (AI provisions), penalty Up to $7,500 per violation). Multi-state Cross-Sector operators headquartered in South Dakota default to the strictest stack.

Because South Dakota has no dedicated AI statute, regulatory obligations fall back to no comprehensive privacy statute layered with federal sector-specific rules.

The federal and neighboring-state framework that governs your AI operations. Cross-Sector operators in South Dakota operate under a federal-dominant framework anchored by FTC Section 5 (15 USC 45) and NIST AI RMF 1.0, with adjacent authorities Gramm-Leach-Bliley Act (GLBA) / NIST Cybersecurity Framework (15 U.S.C. § 6801-6809; NIST CSF 2.0); California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) (CA Civil Code §§ 1798.100-1798.199); General Data Protection Regulation (GDPR) (for EU users) (EU Regulation 2016/679). FTC Operation AI Comply (Sep 2024) targeted five companies across sectors. The practical risk they have to price in is cross-sector FTC Section 5 exposure and state UDAP liability, and the bellwether signal to monitor is NIST AI RMF 1.0 (Jan 2023) is cited as the federal baseline across 30+ agency guidance documents. Minnesota -- HF 4654 — AI Transparency Act sets the de-facto regional floor. South Dakota has focused on data broker bills but no AI-specific statute; monitoring Minnesota HF 4654 effective 2026-08-01. Use this as a starting point; sector pages on this site go deeper into industry-specific obligations.

The enforcement surface for Cross-Sector centres on FTC, CFPB, State Attorneys General, and the statute operators most often under-document is California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) (CA Civil Code §§ 1798.100-1798.199) — a gap that surfaces in cross-sector FTC Section 5 exposure disputes. Build an evidence binder covering AI inventory, risk-tier register, incident-response runbook, and board-level AI risk report. Treat NIST AI RMF 1.0 (Jan 2023) is cited as the federal baseline across 30+ agency guidance documents as your leading indicator and escalate when the signal shifts.

With 11-50 employees you can justify a half-time compliance lead and part-time external counsel on retainer. Small-stage Cross-Sector operators should deploy a named compliance lead, formal AI inventory, quarterly bias spot-checks, and a documented escalation path, with semi-annual internal audit with annual external review and ownership resting with a designated AI compliance lead reporting to the CEO. small-business budgets ($50K-$250K) justify a compliance lead plus a GRC tool such as Credo AI, Fairly, or Holistic AI. For Cross-Sector specifically, the sharpest exposure to manage is cross-sector FTC Section 5 exposure and state UDAP liability. Given South Dakota's concentration in agriculture, financial services, and tourism, livestock-tracking AI and credit-card-industry algorithmic underwriting deserve priority in your AI inventory.

Verified 2026-04-22. See https://sdlegislature.gov/ for the South Dakota Attorney General public record on South Dakota AI policy.

The EU AI Act applies to any company serving EU customers, even if you're based in South Dakota. Penalties reach €35M or 7% of global revenue. Deadline: August 2, 2026.